Obfuscation of user content in user data files

ABSTRACT

Systems, methods, and software for data obfuscation frameworks for user applications are provided herein. An exemplary method includes providing user content to a classification service configured to process the user content to classify portions of the user content as comprising sensitive content, and receiving from the classification service indications of the user content that contains the sensitive content. The method includes presenting graphical indications in a user interface to the user application that annotate the user content as containing the sensitive content, and presenting obfuscation options in the user interface for masking the sensitive content within at least a selected portion among the user content. Responsive to a user selection of at least one of the obfuscation options, the method includes replacing associated user content with obfuscated content that maintains a data scheme of the associated user content.

RELATED APPLICATIONS

This application is a continuation of, and claims priority to, U.S.patent application Ser. No. 15/467,029, entitled “OBFUSCATION OF USERCONTENT IN STRUCTURED USER DATA FILES,” and filed Mar. 23, 2017, whichis hereby incorporated by reference in its entirety.

BACKGROUND

Various user productivity applications allow for data entry and analysisof user content. These applications can provide for content creation,editing, and analysis using spreadsheets, presentations, text documents,mixed-media documents, messaging formats, or other user content formats.Among this user content, various textual, alphanumeric, or othercharacter-based information might include sensitive data that users ororganizations might not want to include in published or distributedworks. For example, a spreadsheet might include social security numbers(SSNs), credit card information, health care identifiers, or otherinformation. Although the user entering this data or user content mighthave authorization to view the sensitive data, other entities ordistribution endpoints might not have such authorization.

Information protection and management techniques can be referred to asdata loss protection (DLP) that attempts to avoid misappropriation andmisallocation of this sensitive data. In certain content formats orcontent types, such as those included in spreadsheets, slide-basedpresentations, and graphical diagramming applications, user contentmight be included in various cells, objects, or other structured orsemi-structured data entities. Moreover, sensitive data might be splitamong more than one data entity. Difficulties can arise when attemptingto identify and protect against sensitive data loss when such documentsinclude sensitive data.

OVERVIEW

Systems, methods, and software for data obfuscation frameworks for userapplications are provided herein. An exemplary method includes providinguser content to a classification service configured to process the usercontent to classify portions of the user content as comprising sensitivecontent, and receiving from the classification service indications ofthe user content that contains the sensitive content. The methodincludes presenting graphical indications in a user interface to theuser application that annotate the user content as containing thesensitive content, and presenting obfuscation options in the userinterface for masking the sensitive content within at least a selectedportion among the user content. Responsive to a user selection of atleast one of the obfuscation options, the method includes replacingassociated user content with obfuscated content that maintains a datascheme of the associated user content.

This Overview is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. It may be understood that this Overview is not intended toidentify key features or essential features of the claimed subjectmatter, nor is it intended to be used to limit the scope of the claimedsubject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

Many aspects of the disclosure can be better understood with referenceto the following drawings. While several implementations are describedin connection with these drawings, the disclosure is not limited to theimplementations disclosed herein. On the contrary, the intent is tocover all alternatives, modifications, and equivalents.

FIG. 1 illustrates a data loss protection environment in an example.

FIG. 2 illustrates elements of a data loss protection environment in anexample.

FIG. 3 illustrates elements of a data loss protection environment in anexample.

FIG. 4 illustrates operations of data loss protection environments in anexample.

FIG. 5 illustrates operations of data loss protection environments in anexample.

FIG. 6 illustrates operations of data loss protection environments in anexample.

FIG. 7 illustrates operations of data loss protection environments in anexample.

FIG. 8 illustrates data threshold operations of data loss protectionenvironments in an example.

FIG. 9 illustrates a computing system suitable for implementing any ofthe architectures, processes, platforms, services, and operationalscenarios disclosed herein.

DETAILED DESCRIPTION

User productivity applications provide for user data and contentcreation, editing, and analysis using spreadsheets, slides, vectorgraphics elements, documents, emails, messaging content, databases, orother application data formats and types. Among the user content,various textual, alphanumeric, or other character-based informationmight be included. For example, a spreadsheet might include socialsecurity numbers (SSNs), credit card information, health careidentifiers, passport numbers, or other information. Although the userentering this data or user content might have authorization to view thesensitive data, other entities or distribution endpoints might not havesuch authorization. Various privacy policies or data privacy rules canbe established that indicate which types of data or user content aresensitive in nature Enhanced data loss protection (DLP) measuresdiscussed herein can be incorporated to attempt to avoidmisappropriation and misallocation of this sensitive data.

In certain content formats or content types, such as those included inspreadsheets, slide-based presentations, and graphical diagrammingapplications, user content might be included in various cells, objects,or other structured or semi-structured data entities. Moreover,sensitive data might be split among more than one data element or entry.The examples herein provide for enhanced identification of sensitivedata in user data files that include structured data elements. Moreover,the examples herein provide for enhanced user interfaces for alertingusers to sensitive data. These user interface elements can includemarking individual sensitive data-containing data elements, as well asthresholds for alerting during editing of the content.

In one example application that uses structured data elements, such as aspreadsheet application, data can be entered into cells that arearranged into columns and rows. Each cell can contain user data or usercontent and can also include one or more expressions that are used toperform calculations, which can reference user-entered data in one ormore other cells. Other user applications, such as slide showpresentation applications, can include user content on more than oneslide as well as within objects included on these slides.

Advantageously, the examples and implementations herein provided forenhanced operations and structures for data loss protection services.These enhanced operations and structures have technical effects offaster identification of sensitive content within documents andespecially for structured documents, such as spreadsheets,presentations, graphical drawings, and the like. Moreover, multipleapplications can share a single classification service that providesdetection and identification of sensitive content in user data filesacross many different applications and end user platforms. End-userlevel annotation and obfuscation processes also provide significantadvantages and technical effects in the user interfaces to applications.For example, users can be presented with graphical annotations ofsensitive content, and popup dialog boxes that present variousobfuscation or masking options. Various enhanced annotation thresholdscan also be established to dynamically indicate sensitive content tousers to make user content editing and sensitive data obfuscation moreefficient and compliant with various data loss protection policies andrules.

As a first example of a data loss protection environment for a userapplication, FIG. 1 is provided. FIG. 1 illustrates data loss protectionenvironment 100 in an example. Environment 100 includes user platform110 and data loss protection platform 120. The elements of FIG. 1 cancommunicate over one or more physical or logical communication links. InFIG. 1, links 160-161 are shown. However, it should be understood thatthese links are only exemplary and one or more further links can beincluded, which might include wireless, wired, optical, or logicalportions.

A data loss protection framework can include portion local to a specificuser application, and a shared portion employed across manyapplications. User platform 110 provides an application environment fora user to interact with elements of user application 111 via userinterface 112. During user interaction with application 111, contententry and content manipulation might be performed. Application data lossprotection (DLP) module 113 can provide portions of the functionalityfor sensitive data annotation and replacement within application 111.Application DLP module 113 is local to user platform 110 in thisexample, but might instead be separate from or integrated intoapplication 111. Application DLP module 113 can provide for sensitivedata annotation and replacement for users and application 111. Data lossprotection platform 120 provides a shared portion of a data lossprotection framework, and provides a shared DLP service 121 for manyapplications to share, such as applications 190 with associated locationDLP portion 193.

In operation, application 111 provides user interface 112 through whichusers can interact with application 111, such as to enter, edit, andotherwise manipulate user content which can be loaded via one or moredata files or entered via user interface 112. In FIG. 1, a spreadsheetworkbook is shown with cells arranged into rows and columns. As a partof application 111, a data loss protection service is provided thatidentifies sensitive user content and allows the users to replace thesensitive user content with safe text or data. The sensitive contentcomprises content that might have privacy concerns, privacypolicies/rules, or other properties for which dissemination would beundesired or unwanted. Data loss in this context refers to thedissemination of the private or sensitive data to unauthorized users orendpoints.

To identify the sensitive content, application 111 provides apportionsthe user content into pieces or chunks of the user content to a dataloss protection service. In FIG. 1, content portions 140 are shown withindividual content portions 141-145 being provided over time to DLPservice 121. Typically, application 111 can process the user content toapportion the user content into the portions during idle periods, suchas when one or more processing threads related to application 111 areidle or below activity thresholds. As will be discussed herein,structured user content is transformed into a ‘flattened’ ornon-structured arrangement during the apportionment process. Thisnon-structured arrangement has several advantages for processing by DLPservice 121.

DLP service 121 then processes each portion or ‘chunk’ of user contentindividually to determine if the portions contain sensitive content.Various classification rules 125, such as data schemes, data patterns,or privacy policies/rules can be in introduced to DLP service 121 foridentification of the sensitive data. After DLP service 121 parsesthrough each individual chunk of user content, location offsets of thesensitive data in the user data file are determined an indicated toapplication DLP service 113. A mapper function in application DLPservice 113 determines a structural relationship between chunk offsetsand the structure of the document. Indications of the location offsets,sensitive data lengths, and sensitive data types can be provided toapplication 111, as seen for example sensitive data indications 150. Thelocation offsets indicated by DLP service 121 might not produce an exactor specific location among the structural elements of the user data filefor the sensitive content. In these instances, a mapping process can beemployed by application DLP service 113 of application 111 to determinespecific structural elements that contain the sensitive data.

Once specific locations are determined, then application 111 canannotate the sensitive data within user interface 112. This annotationcan include global or individual flagging or marking of the sensitivedata. The annotations can comprise ‘policy tips’ presented in a userinterface. Users can then be presented with one or more options toobfuscate or otherwise render the user content unidentifiable as theoriginal sensitive content. Various thresholds on notification of thesensitive content can be established that trigger on counts orquantities of the sensitive data present in the user data file.

In one example, user data file 114 includes content 115, 116, and 117 inparticular cells of user data file 114, which might be associated with aparticular worksheet or page of the spreadsheet workbook. Variouscontent can be included in the associated cells, and this content mightcomprise potentially sensitive data, such as the examples seen in FIG. 1for SSNs, phone numbers, and addresses. Some of this content might crossstructural boundaries in the user data file, such as spanning multiplecells or spanning multiple graphical objects. If the ‘chunk’ apportionsthe data into rows or row groupings, then flattened representations(i.e. stripped of any structural content) can still identify sensitivedata within one or more cells.

Elements of each of user platform 110 and DLP platform 120 can includecommunication interfaces, network interfaces, processing systems,computer systems, microprocessors, storage systems, storage media, orsome other processing devices or software systems, and can bedistributed among multiple devices or across multiple geographiclocations. Examples of elements of each of user platform 110 and DLPplatform 120 can include software such as an operating system,applications, logs, interfaces, databases, utilities, drivers,networking software, and other software stored on a computer-readablemedium. Elements of each of user platform 110 and DLP platform 120 cancomprise one or more platforms which are hosted by a distributedcomputing system or cloud-computing service. Elements of each of userplatform 110 and DLP platform 120 can comprise logical interfaceelements, such as software defined interfaces and ApplicationProgramming Interfaces (APIs).

Elements of user platform 110 include application 111, user interface112, and application DLP module 113. In this example, application 111comprises a spreadsheet application. It should be understood that userapplication 111 can comprise any user application, such as productivityapplications, communication applications, social media applications,gaming applications, mobile applications, or other applications. Userinterface 112 comprises graphical user interface elements that canproduce output for display to a user and receive input from a user. Userinterface 112 can comprise elements discussed below in FIG. 9 for userinterface system 908. Application DLP module 113 comprises one or moresoftware elements configured to apportion content for delivery to aclassification service, annotate data indicated as sensitive, andobfuscate sensitive data, among other operations.

Elements of DLP platform 120 include DLP service 121. DLP service 121includes an external interface in the form of application programminginterface (API) 122, although other interfaces can be employed. DLPservice 121 also include tracker 123 and classification service 124,which will be discussed in more detail below. API 122 can include one ormore user interfaces, such as web interfaces, APIs, terminal interfaces,console interfaces, command-line shell interfaces, extensible markuplanguage (XML) interfaces, among others. Tracker 123 maintains counts orquantities of sensitive data found for a particular document withinflattened portions of structured user content, and also maintains arecord of location offsets within the flattened portions of structureduser content that correspond to locations of sensitive data withinstructured user content. Tracker 123 can also perform threshold analysisto determine when threshold quantities of sensitive data are found andshould be annotated by application DLP module 113. However, in otherexamples, the threshold/count portions of DLP service 121 might beincluded in DLP module 113. Classification service 124 parses throughflattened user content to determine presence of sensitive data, and canemploy various inputs that define rules and policies for identifying thesensitive data. Elements of application DLP module 113 and shared DLPservice 121 might be configured in different arrangements ordistributions that shown in FIG. 1, such as when portions of shared DLPservice 121 are included in application DLP module 113 or application111, among other configurations. In one example, portions of shared DLPservice 121 comprise a dynamic linked library (DLL) included on userplatform 110 for use by application 111 and application DLP module 113.

Links 160-161, along with other links not shown among the elements ofFIG. 1 for clarity, can each comprise one or more communication links,such as one or more network links comprising wireless or wired networklinks. The links can comprise various logical, physical, or applicationprogramming interfaces. Example communication links can use metal,glass, optical, air, space, or some other material as the transportmedia. The links can use various communication protocols, such asInternet Protocol (IP), Ethernet, hybrid fiber-coax (HFC), synchronousoptical networking (SONET), asynchronous transfer mode (ATM), TimeDivision Multiplex (TDM), circuit-switched, communication signaling,wireless communications, or some other communication format, includingcombinations, improvements, or variations thereof. The links can bedirect links or may include intermediate networks, systems, or devices,and can include a logical network link transported over multiplephysical links.

For a further discussion of the elements and operation of environment100, FIG. 2 is presented. FIG. 2 is a block diagram illustrating exampleconfiguration 200 of application DLP module 113, which highlightsexample operations of application DLP module 113, among other elements.In FIG. 2, application DLP module 113 includes content apportioner 211,annotator 212, mapper 213, and obfuscator 214. Each of elements 211-214can comprise software modules employed by application DLP module 113 tooperate as discussed below.

In operation, user content is provided to application DLP module 113,such as a spreadsheet file or workbook as seen in FIG. 1 for user datafile 114. This user data file can be organized into a structured orsemi-structured format, such as cells organized by rows and columns fora spreadsheet example. Other data formats can instead be employed, suchas slide show presentations having pages/slides and many individualgraphical objects, vector drawing programs with various objects onvarious pages, word processing documents with various objects (tables,text boxes, pictures), databases, web page content, or other formats,including combinations thereof. The user data files might containsensitive content or sensitive data. This sensitive data can include anyuser content that fits one or more patterns or data schemes. Examplesensitive data types include social security numbers, credit cardnumbers, passport numbers, addresses, phone numbers, or otherinformation.

In parallel with editing or viewing of the user data file, contentapportioner 211 subdivides the user content into one or more portions or‘chunks’ which are in a flattened form from the original/nativestructured or hierarchical form. Content apportioner 211 can thenprovide these content chunks to shared DLP service 121, along with chunkmetadata for each chunk. The chunk metadata can indicate various chunkproperties, such as a location offset of the chunk in the total contentand a length of the chunk. The location offset corresponds to a locationof the chunk in relation to the overall user document/file, and thechunk length corresponds to a size of the chunk.

Shared DLP service 121 individually parses the content chunks toidentify sensitive data among the flattened user content of the chunks,and provides indications of the sensitive data back to application DLPmodule 113. In some examples discussed below, various thresholds areapplied to counts or quantities of sensitive data before indications areprovided to application DLP module 113. The indications comprise offsetsfor each of the chunks that contain sensitive data, lengths of thechunks, and optionally indicators of data types or data schemesassociated with the sensitive data. The sensitive data indications canbe employed to determine actual or specific locations of the sensitivecontent among the structured data of the user data file. The indicatorsof the data types can be symbolically or numerically encoded indicators,such as integer values, that are referenced to a listing of indicatorsthat mapper 213 can used to identify the data types for annotation.

Mapper 213 can be employed to convert the offsets and lengths intospecific locations within a document or user file. The offsets andlengths correspond to specific chunk identities that are maintained bymapper 213 and stored in association with a session identifier. Thesession identifier can be a unique identifier that persists at least aslong as the session during which the user has the document open orviewed. Mapper 213 can be provided with chunk metadata from contentapportioner 211 to form mapped relationships between the chunk offsets,lengths, and session identifiers. Responsive to receiving indications ofthe sensitive data, mapper 213 can employ the mapped relationships toidentify coarse locations indicated for the sensitive data to within adocument that correspond to the chunk offset and lengths. Since thechunks might encompass more than one structural or hierarchical elementof the user data file, mapper 213 might perform further locationprocesses to find specific locations in the user data file for thesensitive data.

For example, the offsets might indicate coarse locations such as aparticular row or particular column in a spreadsheet. To determine aspecific location, such as a cell within the indicated row or column,mapper 213 can use the offsets/lengths along with local knowledge of thestructured data and the user data file itself to locate the sensitivecontent among the structured data. Mapper 213 determines where in theuser data file that the chunks are provided from, such as associatedrows, columns, worksheets for spreadsheet examples, and associatedslides/pages and objects for slideshow examples. Other examples, such asword processing examples, might not have much structure, and the contentis more readily flattened and offsets can be based on document wordcounts or similar positioning.

In some examples, specific locations are determined by searching for thesensitive content in a particular coarse location. When multiplestructural elements or hierarchical elements are implicated by aparticular offset, the mapper 213 can iteratively search or walk througheach of the elements to locate the sensitive data. For example, if thereare ‘n’ levels of structure/hierarchy in a document, then mapper 213 cannavigate upper hierarchies first and then lower hierarchies afterwards.In spreadsheet examples, the hierarchy/structure might compriseworksheets having associated rows and columns. In presentation documentexamples, the hierarchy/structure might comprise slides/pages havingassociated shapes/objects. Each worksheet and slide indicated by theoffset can be progressed through to find the exact cells or objects thatcontain the sensitive content. In further examples, locating thesensitive data can be done by re-creating one or more chunks associatedwith the coarse location and finding the sensitive data within thosere-created chunks to find the specific location of the sensitive data.

Once the specific locations of the sensitive data have been determined,then annotator 212 can be employed to mark or otherwise flag thesensitive data to a user. This annotation can take the form of a globalflag or banner that indicates to the user that sensitive content ispresent in the user data file. This annotation can take the form ofindividual flags that indicate marks proximate to the sensitive data. Inone example, FIG. 2 shows configuration 201 with a view of a spreadsheetuser interface that has a workbook presently open for viewing orediting. A banner annotation 220 is shown as well as individual cellannotations 221. Individual cell annotations 221 comprise graphicalindications that annotate one or more portions of the user content andcomprise indicators positioned proximate to the one or more portionsthat are selectable in user interface 112 to present obfuscationoptions.

A user can be presented with one or more options when a particularannotation is selected. Popup menu 202 might be presented that includesvarious viewing/editing options, such as cut, copy, paste, among others.Popup menu 202 can also include obfuscation options. Selection of one ofthe obfuscation options can produce obfuscated content that maintains adata scheme of the associated user content, and comprises symbolsselected to prevent identification of the associated user content whilemaintaining the data scheme of the associated user content. In someexamples, the symbols are selected based in part on the data scheme ofthe associated user content, among other considerations. For instance,if the data scheme includes a numerical data scheme, then letters mightbe used as the obfuscation symbols. Likewise, if the data schemeincludes an alphabetic data scheme, then numbers might be used as theobfuscation symbols. Combinations of letters and numbers, or othersymbols, might be selected as the obfuscation symbols in alphanumericalcontent examples.

In FIG. 2, a first obfuscation option includes replacing the sensitivecontent with masked or otherwise obfuscated text, while a secondobfuscation option includes replacing all content with a pattern or datascheme similar to the content of the currently selected annotation. Forexample, if a SSN is included in a cell, a user might be presented withoptions to replace the digits in the SSN with ‘X’ characters whileleaving intact a data scheme of the SSN, i.e. leaving in the familiar“3-2-4” character arrangement separated by dash characters. Moreover, afurther obfuscation option can include an option to replace all of theSSNs that fit the pattern of the selected SSN with ‘X’ characters. Itshould be understood that different example obfuscation options can bepresented, and different characters can be used in the replacementprocess. However, regardless of the obfuscation characters employed, thesensitive data is rendered anonymized, sanitized, ‘clean,’ orunidentifiable as the original content.

Turning now to FIG. 3, example configuration 300 is shown to focus onaspects of DLP service 121. In FIG. 3, DLP service 121 receives portionsof flattened user content, provided in one or more content chunks bycontent apportioner 211, along with chunk metadata that at leastincludes offsets into the total content and lengths of the chunks. Twoexample types of structured user content are shown in FIG. 3, namelyspreadsheet content 301 and slideshow/presentation content 302.Spreadsheet content 301 has structure reflecting rows 321 and columns322 that define individual cells. Moreover, spreadsheet content 301might have more than one worksheet 320 that is delimited by tabs belowthe worksheet, and each worksheet can have a separate set ofrows/columns. Each cell might have user content, such as characters,alphanumeric content, text content, numerical content, or other content.Slideshow content 302 can have one or more slides or pages 323 thatinclude a plurality of objects 324. Each object might have user content,such as characters, alphanumeric content, text content, numericalcontent, or other content.

Content apportioner 211 subdivides the user content into pieces andremoves any associated structure, such as by extracting any usercontent, such as text or alphanumeric content, from cells or objects andthen arranging the extracted content into flattened or linear chunks fordelivery to DLP service 121. These chunks and chunk metadata areprovided to DLP service 121 for discovery of potential sensitive data.

Once the individual chunks of user content are received by DLP service121, various processing is performed on the chunks by classificationservice 124. Also, tracker 123 maintains data records 332 comprising oneor more data structures that relate the offsets/lengths and sessionidentifier to counts of sensitive data found. Data records 332 arestored for that DLP service 121 to provide the offsets/lengths forchunks that contain sensitive data back to a requesting application forfurther locating and annotation of any sensitive content found therein.

Classification service 124 parses each of the chunks against variousclassification rules 331 to identify sensitive data or sensitivecontent. Classification rules 331 can establish one or morepredetermined data schemes defined by one or more expressions used toparse the flattened chunks/data representations to identify portions ofthe chunks as being indicative of one or more predetermined contentpatterns or one or more predetermined content types.

The sensitive content is typically identified based on a data structuralpattern or data ‘scheme’ that is associated with sensitive content.These patterns or schemes can identify when the exact contents of thechunks might differ, but the data might fit a pattern or arrangementthat reflects sensitive data types. For example, a SSN might have acertain data arrangement having a predetermined number of digitsintermixed and separated by a predetermined number of dashes.Classification rules 331 can include various definitions and policiesused in identification of sensitive data. These classification rules caninclude privacy policies, data patterns, data schemes, and thresholdpolicies. The privacy policies might indicate that certain potentiallysensitive data might not be indicated as sensitive to an application dueto company, organization, or user policies, among other considerations.The threshold policies might establish minimum thresholds for findingsensitive data in the various chunks before the presence of sensitivedata is reported to the application. Classification rules 331 can beestablished by users or by policy makers, such as administrators.

Additionally, classification service 124 can process the data contentthrough one or more regular expressions handled by regular expression(regex) service 333. Regex service 333 can include regular expressionmatching and processing services, along with various regular expressionsthat a user or policy maker might deploy for identification of sensitivedata. Further examples of regex service 333 are discussed below in FIG.7.

As a specific example, classification process 341 illustrates severalcontent chunks C₁-C₈ that are linearized versions of content originallyin a structural or hierarchical arrangement in a document or user datafile. Classification service 124 processes these chunks to identify onesof the chunks that comprise sensitive data. If any sensitive data isfound, indications can be provided to the application. The indicationscan comprise offsets and lengths for the sensitive data, and areprovided for mapper 213 to locate the sensitive data within thestructure of the user data file. The chunks themselves can be discardedby classification service 124 after each chunk is processed forsensitive data identification. Since the offsets and lengths allowfinding of the sensitive data within the original data file, and theoriginal content remains in the data file (unless intervening edits haveoccurred), then the actual chunks need not be saved once processed.

To form the chunks, content apportioner 211 bundles alphanumericcontent, such as text, into one or more linear data structures, such asstrings or BSTRs (basic strings or binary strings). Classificationservice 124 processes the linear data structures and determines a listof results. The chunks are checked for sensitive data, and portions ofthe linear data structures can be determined as having sensitivecontent. Classification service 124 in conjunction with tracker 123determine offsets/lengths corresponding to chunks that contain sensitivedata among the linear data structures. These offsets can indicate coarselocations which can be translated back to specific locations in theoriginal document (e.g. user data file) containing the user content.When the chunks are received, tracker 123 can correlate each chunk tooffset/length information indicated in the chunk metadata. Thisoffset/length information can be used to reverse-map to the structure orhierarchy of the original document by mapper 213.

However, DLP service 121 typically only has a partial context back tothe original document or user data file, such as indicated by theoffsets into the originally-generated linear data structures. Moreover,the linear data structures and user content themselves might have beenreleased/deleted by classification service 124 at the end of aclassification process. This can mean that classification service 124may not be able to directly search for the sensitive content tospecifically localize the sensitive content within the originaldocument, and even if classification service 124 could search for theprecise sensitive content classification service 124 might not be ableto find the sensitive content because the ‘chunking’ algorithm mightcross boundaries of hierarchical constructs or structures in theoriginal document or data file. As a specific example, worksheet 320 ina spreadsheet document can have text “SSN 123 45 6789” spanning acrossfour adjacent cells. Advantageously, classification service 124 can findthis text as comprising sensitive content. However, due to theboundary-crossing analysis by classification service 124, at the end ofpolicy rule evaluation, classification service 124 typically does nothave enough data to find the sensitive content in the original documentfor presentation to a user. A user might be left with an incorrectimpression that no sensitive content was present.

In order to efficiently scan the user content for sensitive content,classification service 124 reads in a chunk of user content at a timeduring application idle, does a partial analysis, and continues theprocess. When classification service 124 gets done with reading all ofthe content, classification service 124 only has coarse positions forsensitive content in the original content, such as only a start/offsetand a length. In order to map back on to a structured or semi-structureddocument efficiently, a combination of techniques can be employed bymapper 213. It should be noted that these techniques differ from how aspell check or grammar check might work, in part because the totalcontent may be required, rather than just a word/sentence/paragraph, inorder to understand if the content has exceeded a threshold.

For every level of physical hierarchy or structure present in theoriginal document (i.e. worksheets in a workbook, or slides in apresentation) mapper 213 uses an identifier to indicate existence in amapping data structure, and further subdivide by a reasonable number oflevels of hierarchy (i.e. rows in a worksheet, shapes in a slide) thecontent such that as each one is processed, mapper 213 keeps track ofthe length of the original content, and based on the order of insertioninto the map, the implicit start of that element. The identifier mightbe a process-durable identifier that persists between open instances ofa particular document, or might be different in each instance of theparticular document. In some examples, calculations to amalgamate thepresence/absence of sensitive content is withheld until there is noremaining unprocessed content nor any edits pending that would furtherchange the content.

Assuming there is sensitive content, mapper 213 receives from DLPservice 121 a start and length of each piece of sensitive content andmapper 213 performs a look up in the mapping data structure of theidentifiers and insets of the sensitive content within the most precisemapped region to find the exact location. For performance reasons, onlya certain number of levels of hierarchy might be tracked, so that atable inside of a shape inside of a slide, or a cell inside of a rowinside of a worksheet might not be individually tracked. Therefore, apartial re-walk may be performed after doing a reverse mapping in orderto find the precise location.

In a specific example, a workbook might have 20 worksheets, but millionsof rows and each of the millions of rows might have 50 columns of userdata. For a relatively small number of pieces of sensitive data in this(i.e. one sheet has only one column with sensitive data), theclassification process can become extremely memory intensive to have20*1 million*50 remembered ‘length+offset’ pieces of data. Removing thelast dimension is a 50× savings in memory, for a small computation costat the time that the sensitive data is actually being identified in theoriginal document. Advantageously, a small memory footprint can bemaintained to reverse map the start/lengths back onto the originalcontent.

To further illustrate the operation of the elements of FIGS. 1-3, a flowdiagram is presented in FIG. 4. Two main flows are presented in FIG. 4,namely a first flow 400 for identification of sensitive data, and asecond flow 401 for annotation and obfuscation of sensitive data. Firstflow 400 can feed into second flow 401, although other configurationsare possible.

In FIG. 4, DLP service 121 receives (410) subsets of structured usercontent consolidated into associated flattened representations, each ofthe associated flattened representations having a mapping to acorresponding subset of the structured user content. As mentioned above,the structured content might comprise spreadsheet content organized intosheets/rows/columns, or might instead include other structures such asslideshow content organized into slides/objects, drawing program contentorganized into pages/objects, or text content organized into pages,among other structures. These subsets of the structured user content caninclude ‘chunks’ 141-146 shown in FIG. 1 or chunks C₁-C₈ in FIG. 3,among others. The structure of the underlying user content is flattenedor removed in these subsets to form the chunks, and each the subsets canmap back to the original structure by referencing structural identifiersor localizers, such as sheets/rows/columns or slides/objects, forexample.

DLP service 121 receives these chunks and chunk metadata, such as overlink 160 or API 122 in FIG. 1, and individually parses (411) theflattened representations to classify portions as comprising sensitivecontent corresponding to one or more predetermined data schemes.Classification rules 125 can establish the one or more predetermineddata schemes defined by one or more expressions used to parse theflattened chunks/data representations to identify portions of the chunksas being indicative of one or more predetermined content patterns or oneor more predetermined content types.

If sensitive data is found (412), then for each of the portions, DLPservice 121 determines (413) an associated offset/length relating to thestructured user content indicated as maintained in tracker 123 in datarecords 332. DLP service 121 then indicates (414) at least theassociated offset/length for the portions to user application 111 formarking of the sensitive content in user interface 112 to userapplication 111. If no sensitive data is found, or if any associatedthresholds are not met, then further processing of chunks can continueor further monitoring for additional chunks as provided by userapplication 111. Moreover, editing or changing of the user content mightprompt additional or repeated classification processes for any changedor edited user content.

Application DLP module 113 receives (415) from the classificationservice of DLP service 121 indications of one or more portions of theuser content that contain the sensitive content, where the indicationscomprise offsets/lengths associated with the sensitive content.Application DLP module 113 presents (416) graphical indications in userinterface 112 to user application 111 that annotate the one or moreportions of the user content as containing the sensitive content.Application DLP module 113 can then present (417) obfuscation options inuser interface 112 for masking the sensitive content within at least aselected portion among the one or more portions of the user content.Responsive to a user selection of at least one of the obfuscationoptions, application DLP module 113 replaces (418) associated usercontent with obfuscated content that maintains a data scheme of theassociated user content.

FIG. 5 illustrates sequence diagram 500 to further illustrate theoperation of the elements of FIGS. 1-3. Furthermore, FIG. 5 includesdetailed example structure 510 for some of the process steps in FIG. 5.In FIG. 5, application 111 might open a document for viewing or editingby a user. This document can be detected by application DLP module 113.Any associated policies or classification rules can be pushed to DLPservice 121 to defined any classification policies. DLP service 121 canthen maintain a processing instance of the open document in record 332,which might include a listing of several open documents. When idleprocessing timeframes of application 111 are detected by DLP module 113,an idle indicator can be presented to DLP service 121, whichresponsively requests chunks of user content for classification.Alternatively, DLP module 113 can push user content chunks to DLPservice 121 during idle periods of application 111. DLP module 113apportions the user content into chunks, and these chunks might bedetermined based on text or other content included in structures orhierarchical objects of the document. Once the chunks have beendetermined, DLP module 113 transfers chunks to DLP service 121 forclassification. DLP service 121 classifies each chunk individually andapplies classification rules to the chunks to identify potentiallysensitive user content among the chunks. This classification process canbe an iterative process to ensure all chunks transferred by DLP module113 have been processed. If sensitive data or content is found among thechunks, then DLP service 121 indicates the presence of the sensitivedata to DLP module 113 for further handling. As mentioned herein, thesensitive data can be indicated by offsets, coarse locations, or otherlocation information, as well as length information. DLP module 113 canthen perform one or more annotation processes and obfuscation processeson the sensitive data in the document.

The classification rules can be established ahead of the classificationprocess, such as by users, administrators, policy personnel, or otherentities. As seen in structure 510, various rules 511 and 512 can bebased upon one or more predicates. Predicates are shown in twocategories in FIG. 5, content related predicates 511 and access relatedpredicates 512. Content related predicates 511 can comprise data schemesthat indicate sensitive data, such as data patterns, data structuralinformation, or regular expressions that define the data schemes. Accessrelated predicates 512 comprise user-level, organization-level, or otheraccess-based rules, such as content sharing rules that define whensensitive data is not desired for dissemination or release by particularusers, organizations, or other factors.

Policy rules 513 can be established that combine one or more of thecontent related predicates and access related predicates into policies551-554. Each policy rule also has a priority and an associated action.In general, the priority matches the severity of the action. Forexample, a policy rule might define that ‘save’ features of theapplication are to be blocked. In another example policy rule, usercontent might contain SSNs that are defined according to a contentrelated predicate, but according to an access related predicate, theseSSNs might be acceptable to disseminate. Most policy rules contain atleast one classification predicate among predicates 511-512. Thesepolicies can effect one or more actions 514. The actions can includevarious annotation operations that an application might take in responseto the identification or sensitive content, such as notification of auser, notification but allowing for a user override, blocking offeatures/functions (i.e. ‘save’ or ‘copy’ features), and justifiedoverrides, among others.

FIG. 6 illustrates flow diagram 600 to further illustrate the operationof the elements of FIGS. 1-3. FIG. 6 focuses on one example entireprocess of sensitive data identification, annotation, and obfuscationprocesses. Sub-process 601 comprises policy and rule establishment,storage, and retrieval. These policies and rules can annotation rules,classification rules, regular expressions, organizational/user policies,among other information discussed herein. In operation 611 of FIG. 6,various detection rules 630 and replacement rules 631 can be introducedvia a user interface or API for configuring detection policies.Detection rules 630 and replacement rules 631 can comprise variouspredicates and rules as found in FIG. 5, among others. Users,administrators, policy personnel, or other entities can introducedetection rules 630 and replacement rules 631, such as by establishingpolicies for users, organizations, or application usage, among otherentities and activities. Detection rules 630 and replacement rules 631can be stored on one or more storage systems in operation 612 for laterusage. When one or more clients desire to use the policies establishedby detection rules 630 and replacement rules 631, these policies can bedownloaded or retrieved in operation 613. For example, annotation rulesmight be downloaded by an application for use in annotating sensitivecontent in a user interface, whereas classification rules might bedownloaded by a shared DLP service for classifying user content assensitive content.

Sub-process 602 comprises client-side application activities, such asloading documents for editing or viewing in a user interface, andproviding chunks of those documents for classification. In operation614, a client application can provide one or more end-user experiencesto process user content, edit user content, or view user content, amongother operations. Operation 614 can also provide annotation andobfuscation processes that are discussed later. Operation 615 providesportions of this user content to a shared DLP service for classificationof the user content. In some examples, the portions comprise flattenedchunks of user content that is stripped of associated structure orhierarchy from the original document.

Sub-process 603 comprises classification of user content to detectsensitive data among the user content, as well as annotation of thissensitive data to a user. In operation 616, various detection rules areapplied, such as regular expressions discussed below in FIG. 7, amongother detection rules and processes. If sensitive data is found, thenoperation 617 determines if a user should be notified. The notificationmight not occur if the quantity of sensitive data falls below an alertthreshold quantity. However, if the user is to be alerted, thenoperation 619 can calculate locations of the sensitive data withindetected regions of the structured data. As discussed herein, a mappingprocess can be employed to determine specific locations of sensitivedata within structured elements or hierarchical elements from flatteneddata offsets and lengths of the sensitive data strings or portions. Oncethese specific locations are determined, then operation 618 can displaythe locations to the user. Annotations or other highlighting userinterface elements are employed to signal the user that sensitive datais present among the user content.

Sub-process 604 comprises obfuscation of sensitive data within the usercontent comprising the structured or hierarchical elements. In operation621, user input can be received to replace at least one instance ofsensitive data with ‘safe’ or obfuscated data/text. When a user is showna highlighted region demonstrating a piece of sensitive data that causedan annotation or ‘policy tip’ to appear, the user can be presented withan option to replace the sensitive data with ‘safe text’ that obfuscatesthe sensitive data. Depending on the choices made by the entitiesinitially setting the policies in operation 611, operations 622 and 624determines and generates one or more replacement or obfuscation rules.The obfuscation rules may be used for replacing an internal codenamewith a marketing approved name, used to obfuscate personallyidentifiable information (PII) with boilerplate names, may be used toreplace numeric sensitive data with a set of characters that indicate tofuture viewers of the document regarding the type of sensitive data(i.e. credit card numbers, social security numbers, vehicleidentification numbers, among others) without revealing the actualsensitive data. Operation 623 replaces the sensitive data with theobfuscated data. The obfuscated data may be used to replace numericsensitive data with a set of characters that could be used to confirm adata scheme or content type, but remain insufficient for deriving theoriginal data even by a determined individual (i.e. to determine thatthe content piece is a SSN but not reveal the actual SSN). Users canperform individual or single-instance replacement of sensitive contentwith obfuscated text, or bulk replacement from a user interface thatshows multiple instances of sensitive content.

Replacement of sensitive content, such as text or alphanumericalcontent, might be done with regular expressions, or alternatively vianondeterministic finite automata (NFA), deterministic finite automata(DFA), push down automata (PDA), Turing Machines, arbitrary functionalcode, or other processes. Replacement of sensitive content typicallycomprises pattern matching among text or content. This pattern matchingcan leave unmasked characters or content by considering if the targetpattern has the ability for multiple characters to exist in a specifiedlocation in a string and those characters need not be masked, such asfor delimiter characters. For example, the string “123-12-1234” mightbecome “xxx-xx-xxxx” and string “123 12 1234” might become “xxx xx xxxx”after a masking process. This pattern matching can also keep certainportions discernable for uniqueness purposes, such as with the lastpredetermined number of digits of a credit card number or SSN. Forexample, “1234-1234-1234-1234” might become “xxxx-xxxx-xxxx-1234” aftera masking process. For code name masking/replacement, not all aspectsare patterns and may indeed be internal code names or other keywords.For example, a code name “Whistler” might become “Windows XP” after amasking process. Moreover, patterns that replace a varying number ofcharacters with safe text can be permitted to keep a length consistentor to set the length to a known constant. For example, the same rule canturn “1234-1234-1234-1234” into “xxxx-xxxx-xxxx-1234” and“xxxxx-xxxxx-x1234” after a masking process. This might require apattern that contains sufficient data to handle any of these case.Regular expressions can handle such scenarios by augmenting the regularexpression by surrounding each atom matching expression withparenthesis, and keeping track of which augmented ‘match’ statements arepaired with which ‘replace’ statements. Further examples of regularexpression matching are seen in FIG. 7 below.

To maintain the integrity of annotation and classification processesamong more than one document/file, various processes can be established.Detection/classification, annotation, and obfuscation rules and policiesare not typically included in the document files. This allows forchanges to the policies and prevents reverse-engineering of theobfuscation techniques. For example, if a user saves a document, thencloses and loads the same document, then the rules for what parts of thedocument contain the sensitive data necessary to consider the sensitivedata presence a policy issue may have changed. In addition, annotationflags should not be included in clipboard operations, such as cut, copy,or paste. If a user were to copy content from one document and pasteinto another, that second document might have differentdetection/classification, annotation, and obfuscation rules applied. Ifa user were to content text from a first document and paste into asecond document, then the first document annotations should beconsidered irrelevant until re-classified. Even if a user were to copycontent from one document into the same document, any counts of thesensitive content might shift and what needs to be highlightedthroughout the document might change.

FIG. 7 illustrates flow diagram 700 to further illustrate the operationof the elements of FIGS. 1-3. FIG. 7 focuses on regular expressionoperations during sensitive data obfuscation processes. In FIG. 7, givena regular expression (regex), such as the fictional driver's licenseexample regular expression 730, and a string that matches it, a fullmatch can be generated by at least augmenting the regular expression bysurrounding each separable character matching expression withparenthesis (e.g., each atom), as indicated in operation 711. Theaugmented regular expression can then be re-applied or executed inoperation 712 to perform an obfuscation or masking process. For eachmatch, operations 713-714 determine the broadest and narrowest sets ofcharacters actually matched. For example, when the character matched is“−” the character is narrow since it is a single character. When thecharacter matched is the set of all alphabetic characters, it is broad.The absolute count of characters that could be in any region is the keydeterminer. An obfuscation process in operation 715 can replacecharacters according to a match broadness. For those characters matchedthat are single characters, an obfuscation process can make no change.For those characters matched that are in broad groups, an obfuscationprocess replaces the characters with a ‘safe’ character that's not amember of the set. For example, a set of all letters becomes “0,” a setof all numbers become “X,” and mixed alphanumeric content becomes “?,”with a fallback list of characters to use until exhausted. Once the textor content has been through an obfuscation or masking process, operation716 confirms that the text or content has been successfully renderedobfuscated when the new text/content string no longer matches theoriginal regex.

FIG. 8 illustrates graph diagram 800 to further illustrate the operationof the elements of FIGS. 1-3. FIG. 8 focuses on enhanced thresholdprocesses used in the annotation of sensitive data in user interfaces.The operations of FIG. 8 can comprise enhanced hysteresis operations forannotating sensitive data, and various thresholds or annotation rulescan be set up by policy administrators or users, among other entities.

FIG. 8 includes graph 800 that includes a vertical axis indicating aquantity of sensitive data/content items present in a document, and ahorizontal axis indicating time. A first threshold 820 is establishedwhich can initiate presentation or removal of the annotations ofsensitive content in a user interface. A second threshold 822 can beestablished which can also initiate presentation or removal of theannotations of sensitive content. An elasticity factor 821 andresiliency property 823 can be established to modify behavior of thefirst and second thresholds.

When sensitive data has been annotated in a user interface, such as byflags, markings, or highlighting, a user might edit the sensitivecontent to fix sensitive content issues (such as by selecting one ormore obfuscation options). However, once a threshold number of sensitivecontent issues have been resolved, there might not be sufficientremaining instances of an issue to warrant annotation of the document asbeing overall in contravention of sensitive content rules for theorganization or save location. Likewise, when new sensitive content isintroduced into a document, there might be sufficient instances towarrant annotation of the document to indicate the sensitive content toa user.

During content edit processes by users, enabling and disabling ofannotation indicators for one or more content elements can be based atleast in part on a current quantity of the content elements with regardto annotation rules. Annotation rules can comprise at least firstthreshold quantity 820, elasticity factor 821 for modifying firstthreshold quantity 820 to a second threshold quantity 822 when enabled,and an indication of a threshold resiliency or ‘stickiness’ property 823indicating when second threshold quantity 822 overrides first thresholdquantity 820. An annotation service, such as annotator 212 can determineor identify annotation rules such as policy rules 513 and actions 514discussed in FIG. 5 that are established for target entities associatedwith the content editing. The target entities can include usersperforming the content editing, an organization that comprises the userperforming the content editing, or an application type of the userapplication, among others. During user editing of a document thatcontains sensitive content or potentially might contain sensitivecontent, annotator 212 monitors user content in an associated user datafile presented for content editing in a user interface to the userapplication. Annotator 212 identifies a quantity of content elementscontaining sensitive content among the user content corresponding to oneor more predetermined data schemes discussed herein. The contentelements might include cells, objects, shapes, words, or other datastructural or data hierarchical elements.

During the editing, and based at least on the quantity of contentelements exceeding a first threshold quantity, annotator 212 initiatespresentation of at least one annotation indicator in the user interfacethat flags the user content in the user interface as containing at leastfirst sensitive content. In FIG. 8 (starting with the annotations in an‘off’ state), first threshold 820 indicates an example quantity of ‘8’at transition point 830 as triggering presentation of annotationindicators in a user interface. The quantity of content elements withsensitive content can increase, such as by user editing, and then mightdecrease after a user sees that sensitive content is present and beginsselecting obfuscation options to mask this sensitive content.

Based at least on the quantity of content elements initially exceedingfirst threshold quantity 820 and subsequently falling below firstthreshold quantity 820 when elasticity factor 821 is applied to firstthreshold quantity 820, annotator 212 establishes second thresholdquantity 822 based at least on the elasticity factor. When secondthreshold quantity 822 is active (i.e. when elasticity factor 821applies to first threshold quantity 820), then second threshold quantity822 is used to initiate removal of the presentation of the at least oneannotation indicator when the quantity falls below second thresholdquantity 822, as seen in transition point 832. However, based at leaston the quantity of content elements initially exceeding first thresholdquantity 820 and subsequently falling below first threshold quantity 820when the elasticity factor is not applied to first threshold quantity820, presentation of the at least one annotation indicator is removed,as indicated by transition point 831.

Elasticity factor 821 can comprise a percent ranging from 0-100 percent,or another metric. In a specific example, an annotation rule might beestablished that defines inclusion of over 100 SSNs in a documentviolates corporate policy. During editing of a document that exceeds 100SSNs, then an annotation rule for a first threshold quantity mightprompt highlighting of all of the SSNs in the document. As a user startsobfuscating the SSNs, the quantity of remaining un-obfuscated SSNs willbe reduced. The elasticity factor can maintain annotation orhighlighting of the SSNs even if first threshold quantity 820 thattriggered the annotation is no longer met, such as when 99 SSNs remainun-obfuscated. An elasticity factor of 100 would correspond to anunmodified first threshold quantity, and an elasticity of 0 wouldcorrespond to the annotations never being removed until all SSNs areobfuscated. An intermediate value of 50 for the elasticity factor wouldcorrespond to removal of the annotations once the 50th entry is fixedafter the annotations had initially been triggered to be presented.Thus, in the example in FIG. 8, the elasticity factor establishes asecond threshold quantity for removal of the annotations once theannotations have been presented to a user. In this example, secondthreshold quantity 822 is at ‘2’ and thus when the remaining sensitivecontent issues fall below ‘2’ remaining, the annotations will beremoved, as indicated by transition point 832.

If second threshold quantity 822 has been fallen below, and thenadditional sensitive content issues arise during content editing, thenannotator 212 must decide when to alert the user by presenting theannotations again. Based at least on the quantity of content elementsinitially falling below second threshold quantity 822 and subsequentlyexceeding second threshold quantity 822 when threshold resiliencyproperty 823 is applied to second threshold quantity 822, annotator 212initiates presentation of further annotations in the user interface thatflags the user content in the user interface as containing sensitivecontent, as indicated by transition point 833.

Resiliency property 823 comprises a ‘stickiness’ property for secondthreshold quantity 822, and is defined by an on/off or Booleancondition. When disabled, second threshold quantity 822 is not used forre-presenting the annotations if exceeded. When enabled, secondthreshold quantity 822 is used for re-presenting the annotations ifexceeded. Therefore, based at least on the quantity of content elementsinitially falling below second threshold quantity 822 and subsequentlyexceeding second threshold quantity 822 when the resiliency property isnot applied to second threshold quantity 822, annotator 212 withholdspresentation of the annotations that flags the user content in the userinterface as containing at least the sensitive content until thequantity of content elements exceeds first threshold quantity 820 again.

Turning now to FIG. 9, computing system 901 is presented. Computingsystem 901 that is representative of any system or collection of systemsin which the various operational architectures, scenarios, and processesdisclosed herein may be implemented. For example, computing system 901can be used to implement any of user platform 110 or DLP platform 120 ofFIG. 1. Examples of computing system 901 include, but are not limitedto, server computers, cloud computing systems, distributed computingsystems, software-defined networking systems, computers, desktopcomputers, hybrid computers, rack servers, web servers, cloud computingplatforms, and data center equipment, as well as any other type ofphysical or virtual server machine, and other computing systems anddevices, as well as any variation or combination thereof. When portionsof computing system 901 are implemented on user devices, example devicesinclude smartphones, laptop computers, tablet computers, desktopcomputers, gaming systems, entertainment systems, and the like.

Computing system 901 may be implemented as a single apparatus, system,or device or may be implemented in a distributed manner as multipleapparatuses, systems, or devices. Computing system 901 includes, but isnot limited to, processing system 902, storage system 903, software 905,communication interface system 907, and user interface system 908.Processing system 902 is operatively coupled with storage system 903,communication interface system 907, and user interface system 908.

Processing system 902 loads and executes software 905 from storagesystem 903. Software 905 includes application DLP environment 906 and/orshared DLP environment 909, which is representative of the processesdiscussed with respect to the preceding Figures. When executed byprocessing system 902 to process user content for identification,annotation, and obfuscation of sensitive content, software 905 directsprocessing system 902 to operate as described herein for at least thevarious processes, operational scenarios, and environments discussed inthe foregoing implementations. Computing system 901 may optionallyinclude additional devices, features, or functionality not discussed forpurposes of brevity.

Referring still to FIG. 9, processing system 902 may comprise amicroprocessor and processing circuitry that retrieves and executessoftware 905 from storage system 903. Processing system 902 may beimplemented within a single processing device, but may also bedistributed across multiple processing devices or sub-systems thatcooperate in executing program instructions. Examples of processingsystem 902 include general purpose central processing units, applicationspecific processors, and logic devices, as well as any other type ofprocessing device, combinations, or variations thereof.

Storage system 903 may comprise any computer readable storage mediareadable by processing system 902 and capable of storing software 905.Storage system 903 may include volatile and nonvolatile, removable andnon-removable media implemented in any method or technology for storageof information, such as computer readable instructions, data structures,program modules, or other data. Examples of storage media include randomaccess memory, read only memory, magnetic disks, resistive memory,optical disks, flash memory, virtual memory and non-virtual memory,magnetic cassettes, magnetic tape, magnetic disk storage or othermagnetic storage devices, or any other suitable storage media. In nocase is the computer readable storage media a propagated signal.

In addition to computer readable storage media, in some implementationsstorage system 903 may also include computer readable communicationmedia over which at least some of software 905 may be communicatedinternally or externally. Storage system 903 may be implemented as asingle storage device, but may also be implemented across multiplestorage devices or sub-systems co-located or distributed relative toeach other. Storage system 903 may comprise additional elements, such asa controller, capable of communicating with processing system 902 orpossibly other systems.

Software 905 may be implemented in program instructions and among otherfunctions may, when executed by processing system 902, direct processingsystem 902 to operate as described with respect to the variousoperational scenarios, sequences, and processes illustrated herein. Forexample, software 905 may include program instructions for implementingthe dataset processing environments and platforms discussed herein.

In particular, the program instructions may include various componentsor modules that cooperate or otherwise interact to carry out the variousprocesses and operational scenarios described herein. The variouscomponents or modules may be embodied in compiled or interpretedinstructions, or in some other variation or combination of instructions.The various components or modules may be executed in a synchronous orasynchronous manner, serially or in parallel, in a single threadedenvironment or multi-threaded, or in accordance with any other suitableexecution paradigm, variation, or combination thereof. Software 905 mayinclude additional processes, programs, or components, such as operatingsystem software or other application software, in addition to or thatinclude application DLP environment 906 or shared DLP environment 909.Software 905 may also comprise firmware or some other form ofmachine-readable processing instructions executable by processing system902.

In general, software 905 may, when loaded into processing system 902 andexecuted, transform a suitable apparatus, system, or device (of whichcomputing system 901 is representative) overall from a general-purposecomputing system into a special-purpose computing system customized tofacilitate enhanced processing of user content for identification,annotation, and obfuscation of sensitive content. Indeed, encodingsoftware 905 on storage system 903 may transform the physical structureof storage system 903. The specific transformation of the physicalstructure may depend on various factors in different implementations ofthis description. Examples of such factors may include, but are notlimited to, the technology used to implement the storage media ofstorage system 903 and whether the computer-storage media arecharacterized as primary or secondary storage, as well as other factors.

For example, if the computer readable storage media are implemented assemiconductor-based memory, software 905 may transform the physicalstate of the semiconductor memory when the program instructions areencoded therein, such as by transforming the state of transistors,capacitors, or other discrete circuit elements constituting thesemiconductor memory. A similar transformation may occur with respect tomagnetic or optical media. Other transformations of physical media arepossible without departing from the scope of the present description,with the foregoing examples provided only to facilitate the presentdiscussion.

Application DLP environment 906 or shared DLP environment 909 eachincludes one or more software elements, such as OS 921/931 andapplications 922/932. These elements can describe various portions ofcomputing system 901 with which users, data sources, data services, orother elements, interact. For example, OS 921/931 can provide a softwareplatform on which application 922/932 is executed and allows forprocessing user content for identification, annotation, and obfuscationof sensitive content, among other functions.

In one example, DLP service 932 includes content apportioner 924,annotator 925, mapper 926, and obfuscator 927. Content apportioner 924flattens structured or hierarchical user content elements into linearchunks for processing by a classification service. Annotator 925graphically highlights sensitive data or content in a user interface sothat users can be alerted to the presence of a threshold amount ofsensitive data. Mapper 926 can derive specific locations among thedocuments for the sensitive data annotations, such as when onlyoffsets/lengths/IDs are provided by a classification service to localizesensitive data in various structural or hierarchical elements of thedocument. Obfuscator 927 presents obfuscation options formasking/replacing of user content that has been identified as sensitivedata. Obfuscator 927 also replaces the sensitive content responsive touser selections of obfuscation options.

In another example, DLP service 933 includes classification service 934,tracker 935, policy/rules module 936, and regex service 937.Classification service 934 parses through linear chunks of data orcontent to identify sensitive data. Tracker 935 maintains counts orquantities of sensitive data items found by classification service 934,and indicates the sensitive data offsets and lengths to a mapper forannotation in a document (such as mapper 926 and annotator 925).Policy/rules module 936 can receive and maintain various policies andrules for annotation, classification, detection, obfuscation, or otheroperations on user content. Regex service 937 comprises one exampleclassification technique using regular expression matching to identifysensitive data using data patterns or data schemes, and to replace textof the matched content with obfuscated content.

Communication interface system 907 may include communication connectionsand devices that allow for communication with other computing systems(not shown) over communication networks (not shown). Examples ofconnections and devices that together allow for inter-systemcommunication may include network interface cards, antennas, poweramplifiers, RF circuitry, transceivers, and other communicationcircuitry. The connections and devices may communicate overcommunication media to exchange communications with other computingsystems or networks of systems, such as metal, glass, air, or any othersuitable communication media. Physical or logical elements ofcommunication interface system 907 can receive datasets from telemetrysources, transfer datasets and control information between one or moredistributed data storage elements, and interface with a user to receivedata selections and provide visualized datasets, among other features.

User interface system 908 is optional and may include a keyboard, amouse, a voice input device, a touch input device for receiving inputfrom a user. Output devices such as a display, speakers, web interfaces,terminal interfaces, and other types of output devices may also beincluded in user interface system 908. User interface system 908 canprovide output and receive input over a network interface, such ascommunication interface system 907. In network examples, user interfacesystem 908 might packetize display or graphics data for remote displayby a display system or computing system coupled over one or more networkinterfaces. Physical or logical elements of user interface system 908can receive classification rules or policies from users or policypersonnel, receive data editing activity from users, present sensitivecontent annotations to users, provide obfuscation options to users, andpresent obfuscated user content to users, among other operations. Userinterface system 908 may also include associated user interface softwareexecutable by processing system 902 in support of the various user inputand output devices discussed above. Separately or in conjunction witheach other and other hardware and software elements, the user interfacesoftware and user interface devices may support a graphical userinterface, a natural user interface, or any other type of userinterface.

Communication between computing system 901 and other computing systems(not shown), may occur over a communication network or networks and inaccordance with various communication protocols, combinations ofprotocols, or variations thereof. Examples include intranets, internets,the Internet, local area networks, wide area networks, wirelessnetworks, wired networks, virtual networks, software defined networks,data center buses, computing backplanes, or any other type of network,combination of network, or variation thereof. The aforementionedcommunication networks and protocols are well known and need not bediscussed at length here. However, some communication protocols that maybe used include, but are not limited to, the Internet protocol (IP,IPv4, IPv6, etc.), the transmission control protocol (TCP), and the userdatagram protocol (UDP), as well as any other suitable communicationprotocol, variation, or combination thereof.

Certain inventive aspects may be appreciated from the foregoingdisclosure, of which the following are various examples.

Example 1: A method of providing a data obfuscation framework for a userapplication, the method comprising providing user content to aclassification service configured to process the user content toclassify portions of the user content as comprising sensitive contentcorresponding to one or more predetermined data schemes, and receivingfrom the classification service indications of one or more portions ofthe user content that contain the sensitive content. The method includespresenting graphical indications in a user interface to the userapplication that annotate the one or more portions of the user contentas containing the sensitive content, and presenting obfuscation optionsin the user interface for masking the sensitive content within at leasta selected portion among the one or more portions of the user content.Responsive to a user selection of at least one of the obfuscationoptions, the method includes replacing associated user content withobfuscated content that maintains a data scheme of the associated usercontent.

Example 2: The method of Example 1, further comprising presenting theobfuscation options as comprising a first option to mask the sensitivecontent within the selected portion and a second option to mask thesensitive content within the selected portion and further portions ofthe user content comprising further sensitive content having a similardata scheme as the selected portion.

Example 3: The method of Examples 1-2, further comprising presenting theobfuscation options as indicating at least an example obfuscated versionof target user content within the selected portion.

Example 4: The method of Examples 1-3, where the graphical indicationsthat annotate the one or more portions of the user content compriseindicators positioned proximate to the one or more portions that areselectable in the user interface to present the obfuscation options.

Example 5: The method of Examples 1-4, where the obfuscated content thatmaintains the data scheme of the associated user content comprisessymbols selected based in part on the data scheme of the associated usercontent to prevent identification of the associated user content whilemaintaining the data scheme of the associated user content.

Example 6: The method of Examples 1-5, further comprising responsive toreplacing the associated user content with the obfuscated content,providing the obfuscated content to the classification service toconfirm the obfuscated content does not contain further sensitivecontent.

Example 7: The method of Examples 1-6, where the one or morepredetermined data schemes are defined by one or more regularexpressions used to parse the user content to identify the portions asbeing indicative of one or more predetermined content patterns or one ormore predetermined content types.

Example 8: The method of Examples 1-7, where the one or morepredetermined data schemes each comprise first portions to be obfuscatedand second portions to remain non-obfuscated, the first portions to beobfuscated corresponding to locations having more than one allowedcharacter, and the second portions to remain non-obfuscated having onlyone allowed character comprising a delimiter character. The methodfurther comprising identifying if a part of the first portions aredesignated to remain discernable for uniqueness after obfuscation, anddesignating the part to remain un-obfuscated.

Example 9: A data obfuscation framework for a user application,comprising one or more computer readable storage media, a processingsystem operatively coupled with the one or more computer readablestorage media, and program instructions stored on the one or morecomputer readable storage media. Based at least on being read andexecuted by the processing system, the program instructions direct theprocessing system to at least provide user content to a classificationservice configured to process the user content to classify portions ofthe user content as comprising sensitive content corresponding to one ormore predetermined data schemes, and receive from the classificationservice indications of one or more portions of the user content thatcontain the sensitive content. Based at least on being read and executedby the processing system, the program instructions further direct theprocessing system to at least present graphical indications in a userinterface to the user application that annotate the one or more portionsof the user content as containing the sensitive content, presentobfuscation options in the user interface for masking the sensitivecontent within at least a selected portion among the one or moreportions of the user content, and responsive to a user selection of atleast one of the obfuscation options, replace associated user contentwith obfuscated content that maintains a data scheme of the associateduser content.

Example 10: The data obfuscation framework of Example 9, comprisingfurther program instructions, based at least on being read and executedby the processing system, direct the processing system to at leastpresent the obfuscation options as comprising a first option to mask thesensitive content within the selected portion and a second option tomask the sensitive content within the selected portion and furtherportions of the user content comprising further sensitive content havinga similar data scheme as the selected portion.

Example 11: The data obfuscation framework of Examples 9-10, comprisingfurther program instructions, based at least on being read and executedby the processing system, direct the processing system to at leastpresent the obfuscation options as indicating at least an exampleobfuscated version of target user content within the selected portion.

Example 12: The data obfuscation framework of Examples 9-11, where thegraphical indications that annotate the one or more portions of the usercontent comprise indicators positioned proximate to the one or moreportions that are selectable in the user interface to present theobfuscation options.

Example 13: The data obfuscation framework of Examples 9-12, where theobfuscated content that maintains the data scheme of the associated usercontent comprises symbols selected based in part on the data scheme ofthe associated user content to prevent identification of the associateduser content while maintaining the data scheme of the associated usercontent.

Example 14: The data obfuscation framework of Examples 9-13, comprisingfurther program instructions, based at least on being read and executedby the processing system, direct the processing system to at least,responsive to replacing the associated user content with the obfuscatedcontent, provide the obfuscated content to the classification service toconfirm the obfuscated content does not contain further sensitivecontent.

Example 15: The data obfuscation framework of Examples 9-14, where theone or more predetermined data schemes are defined by one or moreregular expressions used to parse the user content to identify theportions as being indicative of one or more predetermined contentpatterns or one or more predetermined content types.

Example 16: The data obfuscation framework of Examples 9-15, where theone or more predetermined data schemes each comprise first portions tobe obfuscated and second portions to remain non-obfuscated, the firstportions to be obfuscated corresponding to locations having more thanone allowed character, and the second portions to remain non-obfuscatedhaving only one allowed character comprising a delimiter character. Thedata obfuscation framework comprising further program instructions,based at least on being read and executed by the processing system,direct the processing system to at least identify if a part of the firstportions are designated to remain discernable for uniqueness afterobfuscation, and designate the part to remain un-obfuscated.

Example 17: A method of operating a user application, the methodcomprising providing user content of a user data file to aclassification service configured to process the user content toclassify one or more portions of the user content as comprisingsensitive content corresponding to one or more data schemes, andpresenting indicators in a user interface that flag the one or moreportions of the user content as containing the sensitive content, wherethe indicators are positioned proximate to the one or more portions andare selectable in the user interface to present obfuscation options.Responsive to selection of a first of the indicators, the methodincludes presenting first obfuscation options in the user interface forreplacing associated sensitive content within a first portion of theuser content flagged by the first of the indicators. Responsive to auser selection of at least one of the first obfuscation options, themethod includes replacing the associated sensitive content withobfuscated content that maintains a data scheme of the associatedsensitive content.

Example 18: The method of Example 17, further comprising presenting thefirst obfuscation options as comprising a first option to replace theassociated sensitive content with the obfuscated content and a secondoption to replace the associated sensitive content and further sensitivecontent of the user data file having a similar data scheme as theassociated sensitive content.

Example 19: The method of Examples 17-18, where the obfuscated contentthat maintains the data scheme of the associated sensitive contentcomprises one or more symbols selected to prevent identification of theassociated sensitive content while maintaining the data scheme of theassociated user content, where the one or more symbols are selectedbased in part on the data scheme of the associated sensitive content.

Example 20: The method of Examples 17-19, where the one or more dataschemes each comprise first portions to be obfuscated and secondportions to remain non-obfuscated, the first portions to be obfuscatedcorresponding to locations having more than one allowed character, andthe second portions to remain non-obfuscated having only one allowedcharacter comprising a delimiter character. The method furthercomprising identifying if a part of the first portions are designated toremain discernable for uniqueness after obfuscation, and designating thepart to remain un-obfuscated.

The functional block diagrams, operational scenarios and sequences, andflow diagrams provided in the Figures are representative of exemplarysystems, environments, and methodologies for performing novel aspects ofthe disclosure. While, for purposes of simplicity of explanation,methods included herein may be in the form of a functional diagram,operational scenario or sequence, or flow diagram, and may be describedas a series of acts, it is to be understood and appreciated that themethods are not limited by the order of acts, as some acts may, inaccordance therewith, occur in a different order and/or concurrentlywith other acts from that shown and described herein. For example, thoseskilled in the art will understand and appreciate that a method couldalternatively be represented as a series of interrelated states orevents, such as in a state diagram. Moreover, not all acts illustratedin a methodology may be required for a novel implementation.

The descriptions and figures included herein depict specificimplementations to teach those skilled in the art how to make and usethe best option. For the purpose of teaching inventive principles, someconventional aspects have been simplified or omitted. Those skilled inthe art will appreciate variations from these implementations that fallwithin the scope of the disclosure. Those skilled in the art will alsoappreciate that the features described above can be combined in variousways to form multiple implementations. As a result, the invention is notlimited to the specific implementations described above, but only by theclaims and their equivalents.

What is claimed is:
 1. A method, comprising: providing user content to aclassification service; receiving from the classification service anindication of at least a portion of the user content that containssensitive content corresponding to at least one data scheme; beforemasking of the sensitive content, presenting graphical annotations in auser interface that indicate at least the portion of the user content ascontaining the sensitive content; responsive to a user selection withina user application of an obfuscation option associated with thegraphical annotations for masking the sensitive content, replacingassociated user content with obfuscated content that maintains the atleast one data scheme of the associated user content and comprisessymbols to prevent identification of the associated user content whilemaintaining the at least one data scheme of the associated user content.2. The method of claim 1, further comprising: presenting the obfuscationoption in the user interface for masking the sensitive content.
 3. Themethod of claim 1, wherein the graphical indications that annotate atleast the portion of the user content comprise indicators positionedproximate to the sensitive content that are selectable in the userinterface to present the obfuscation option.
 4. The method of claim 1,further comprising: presenting the obfuscation option in a userinterface for the user application as comprising a first option to maskthe sensitive content within the portion of the user content and asecond option to mask the sensitive content within the portion andadditional portions of the user content comprising additional sensitivecontent having a similar data scheme as the portion.
 5. The method ofclaim 1, wherein the obfuscation option indicates at least an exampleobfuscated version of target user content within at least the portion.6. The method of claim 1, wherein the at least one data scheme isdefined by one or more regular expressions used to parse the usercontent to identify the portions as being indicative of at least onepredetermined content pattern or at least one predetermined contenttype.
 7. The method of claim 1, wherein the at least one data schemecomprises a first portion to be obfuscated with a symbolic character anda second portion to remain non-obfuscated with a delimiter character. 8.An apparatus, comprising: one or more non-transitory computer readablestorage media; a processing system operatively coupled with the one ormore non-transitory computer readable storage media; and programinstructions stored on the one or more non-transitory computer readablestorage media that, based at least on being read and executed by theprocessing system, direct the processing system to at least: provideuser content to a classification service; receive from theclassification service an indication of at least a portion of the usercontent that contains sensitive content corresponding to at least onedata scheme; before masking of the sensitive content, present graphicalannotations in a user interface that indicate at least the portion ofthe user content as containing the sensitive content; responsive to auser selection of an obfuscation option associated with the graphicalannotations for masking the sensitive content, replacing associated usercontent with obfuscated content that maintains the at least one datascheme of the associated user content and comprises symbols to preventidentification of the associated user content while maintaining the atleast one data scheme of the associated user content.
 9. The apparatusof claim 8, comprising further program instructions, based at least onbeing read and executed by the processing system, direct the processingsystem to at least: presenting the obfuscation option in the userinterface for masking the sensitive content.
 10. The apparatus of claim9, wherein the graphical indications that annotate at least the portionof the user content comprise indicators positioned proximate to thesensitive content that are selectable in the user interface to presentthe obfuscation option.
 11. The apparatus of claim 8, comprising furtherprogram instructions, based at least on being read and executed by theprocessing system, direct the processing system to at least: present theobfuscation option in a user interface for as comprising a first optionto mask the sensitive content within the portion of the user content anda second option to mask the sensitive content within the portion andadditional portions of the user content comprising additional sensitivecontent having a similar data scheme as the portion.
 12. The apparatusof claim 8, wherein the obfuscation option indicate at least an exampleobfuscated version of target user content within at least the portion.13. The apparatus of claim 8, wherein the at least one data scheme isdefined by one or more regular expressions used to parse the usercontent to identify the portions as being indicative of at least onepredetermined content pattern or at least one predetermined contenttype.
 14. The apparatus of claim 8, wherein the at least one data schemecomprises a first portion to be obfuscated with a symbolic character anda second portion to remain non-obfuscated with a delimiter character.15. A method, comprising: providing user content of a user data file toa classification service; receiving, from the classification service,indications of at least a portion of the user content as comprisingsensitive content corresponding to at least one data scheme; beforemasking of the sensitive content, presenting annotations in a userinterface that flag the sensitive content; responsive to selection of anobfuscation option associated with at least one of the annotations,replacing associated sensitive content with obfuscated content thatmaintains the at least one data scheme of the associated sensitivecontent and comprises at least one symbol selected to preventidentification of the associated sensitive content while maintaining thedata scheme of the associated user content.
 16. The method of claim 15,further comprising: presenting a first obfuscation option to replace theassociated sensitive content with the obfuscated content and a secondobfuscation option to replace the associated sensitive content andadditional sensitive content of the user data file having a similar datascheme as the associated sensitive content.
 17. The method of claim 15,wherein the at least one data scheme comprises a first portion to beobfuscated with a symbolic character and a second portion to remainnon-obfuscated with a delimiter character.